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We exhibit assertion-preserving (reachability preserving) transformations from parameterized con- 
current shared-memory programs, under a £-round scheduling of processes, to sequential programs. 
The salient feature of the sequential program is that it tracks the local variables of only one thread at 
any point, and uses only 0(k) copies of shared variables (it does not use extra counters, not even one 
counter to keep track of the number of threads). Sequentialization is achieved using the concept of a 
linear interface that captures the effect an unbounded block of processes have on the shared state in 
a A;-round schedule. Our transformation utilizes linear interfaces to sequentialize the program, and to 
ensure the sequential program explores only reachable states and preserves local invariants. 

1 Introduction 

The theme of this paper is to build verification techniques for parameterized concurrent shared-memory 
programs: programs with unboundedly many threads, many of them running identical code that concur- 
rently evolve and interact through shared variables. Parameterized concurrent programs are extremely 
hard to check for errors. Concurrent shared-memory programs with a finite number of threads are already 
hard, and extending existing methods for sequential programs, like Floyd-Hoare style deductive verifi- 
cation, abstract inteipretation, and model-checking, is challenging. Parameterized concurrent programs 
are even harder. 

A recent proposal in the verification community to handle concurrent program verification is to re- 
duce the problem to sequential program verification. Of course, this is not possible, in general, unless the 
sequential program tracks the entire configuration of the concurrent program, including the local state 
of each thread. However, recent research has shown efficient sequentializations for concurrent programs 
with finitely many threads when restricted to & fixed number of rounds of schedule (or a fixed number of 
context-switches) |[T5l[T2l . A round of schedule involves scheduling each process, one at a time in some 
order, where each process is allowed to take an arbitrary number of steps. 

The appeal of sequentialization is that by reducing concurrent program verification to sequential 
program verification, we can bring to bear all the techniques and tools available for the analysis of 
sequential programs. Such sequentializations have been used recently to convert concurrent programs 
under bounded round scheduling to sequential programs, followed by automatic deductive verification 
techniques based on SMT solvers lfl4ll . in order to find bugs (see also lH). The goal of this paper is to find 
a similar translation for parameterized concurrent programs where the number of threads is unbounded. 
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Again, we are looking for an efficient translation — to convert a parameterized concurrent program to a 
sequential program so that the latter tracks the local state of at most one thread at any time, and uses 
only a bounded number of copies of shared variables. 

The motivation for the bounded round restriction is inspired from recent research in testing that 
suggests that most concurrency errors manifest themselves within a few context-switches (executions can 
be, however, arbitrarily long). The CHESS tool from Microsoft Research, for example, tests concurrent 
programs only under schedules that have a bounded number of context-switches (or pre-emptions) iTTTl . 
In the setting where there is an unbounded number of threads, the natural extension of bounded context- 
switching is bounded-round context-switching, as the latter executes schedules that allow all threads in 
the system to execute (each thread is context-switched into a bounded number of times). Checking a 
parameterized program to be correct for a few rounds gives us considerable confidence in its correctness. 

The main result of this paper is that efficient sequentializations of parameterized programs are also 
feasible, when restricted to bounded-round context-switching schedules. More precisely, we show that 
given a parameterized program P with an unbounded number of threads executing under fc-round sched- 
ules and an error state e, there is an effectively constructive (non-deterministic) sequential program 5 
with a corresponding error state e' that satisfies the following: (a) the error state e is reachable in P iff 
the error state e' is reachable in S, (b) a localized state (the valuation of a thread's local variables and the 
shared variables) is reachable in P iff it is reachable in S — in other words, the transformation preserves 
assertion invariants and explores only reachable states, (we call such a transformation lazy), and (c) S 
at any point tracks the local state of only one thread and at most 0(k) copies of shared variables, and 
furthermore, uses no additional unbounded memory such as counters or queues. 

The existence of a transformation of the above kind is theoretically challenging and interesting. First, 
when simulating a parameterized program, one would expect that counters are necessary — for instance, 
in order to simulate the second round of schedule, it is natural to expect that the sequential program 
must remember at least the number of threads it used in the first round. However, our transformation 
does not introduce counters. Second, a lazy transformation is hard as, intuitively, the sequential program 
needs to return to a thread in order to simulate it, and yet cannot keep the local state during this process. 
The work reported in lfT2l achieves such a lazy sequentialization for concurrent programs with finitely 
many threads using recomputation of local states. Intuitively, the idea is to fix a particular ordering 
of threads, and to restart threads which are being context-switched into to recompute their local state. 
Sequentializing parameterized concurrent programs is significantly harder as we, in addition, do not even 
know how many threads were active or how they were ordered in an earlier round, let alone know the 
local states of these threads. 

Our main technical insight to sequentialization is to exploit a concept called linear interface (intro- 
duced by us recently lfT3l to provide model-checking algorithms for Boolean parameterized systems). 
A linear interface summarizes the effect of an unbounded block of processes on the shared variables in 
a ^-rounds schedule. A linear interface is of the form (u,v) where u and v are ^-tuples of valuations 
of shared variables. A block of threads have a linear interface (u,v) if, intuitively, there is an execu- 
tion which allows context-switching into this block with u\ and context-switch out at v/, for i growing 
consecutively from 1 tofc, while preserving the local state across the context-switches (see Figured). 

In classic verification of sequential programs with recursion (in both deductive verification as well as 
model-checking), the idea of summarizing procedures using pre-post conditions (or summaries in model- 
checking algorithms) is crucial in handling the infinite recursion depth. In parameterized programs, linear 
interfaces have a similar role but across a concurrent dimension: they capture the pre-post condition for 
a block of unboundedly many processes. However, because a block of processes has a persistent state 
across two successive rounds of a schedule (unlike a procedure called in a sequential program), we cannot 
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summarize the effect of a block using a pre-post predicate that captures a set of pairs of the form (w,v). 
A linear interface captures a sequence of length k of pre-post conditions, thus capturing in essence the 
effect of the local states of the block of processes that is adequate for a &-round schedule. 

Our sequentialization synthesizes a sequential program that uses a recursive procedure to compute 
linear interfaces. Intuitively, linear interfaces of the parameterized program correspond to procedural 
summaries in the sequential program. Our construction hence produces a recursive program even when 
the parameterized program has no recursion. However, the translation also works when the parameterized 
program has recursion, as the program's recursion gets properly nested within the recursion introduced 
by the translation. 

Our translations work for general programs, with unbounded data-domains. When applied to param- 
eterized programs over finite data-domains, it shows that a class of parameterized pushdown systems 
(finite automata with an unbounded number of stacks) working under a bounded round schedule, can be 
simulated faithfully by a single-stack pushdown system (see Section 4.2). 

The sequentialization provided in this paper paves the way to finding errors in parameterized con- 
current programs with unbounded data domains, up to a bounded number of rounds of schedule, as it 
allows us to convert them to sequential programs, in order to apply the large class of sequential analysis 
tools available — model-checking, testing, verification-condition generation based on SMT solvers, and 
abstraction-based verification. The recent success in finding errors in concurrent systems code (for a 
finite number of threads) using a sequentialization and then SMT-solvers IPT41 I61 lends credence to this 
optimism. 

Related work. The idea behind bounding context-switches is that most concurrency errors manifest 
within a few switches |[20l [I6l . The CHESS tool from Microsoft espouses this philosophy by test- 
ing concurrent programs by systematically choosing all schedules with a small number of preemp- 
tions [17]- Theoretically, context-bounded analysis was motivated for the study of concurrent programs 
with bounded data-domains and recursion, as it yielded a decidable reachability problem lfl9l . and has 
been exploited in model-checking l2Tl[T5l[Tll . In recent work lfT3l . we have designed model-checking 
algorithms for Boolean abstractions of parameterized programs using the concept of linear interfaces; 
these work only for bounded data domains and also do not give sequentializations. 

The first sequentialization of concurrent programs was proposed for a finite number of threads and 
two context-switches EUl . followed by a general eager conversion that worked for arbitrary number of 
context-switches lH5l . and a lazy conversion proposed by us in |[T2l . Sequentialization has been used 
recently on concurrent device drivers written in C with dynamic heaps, followed by using proof-based 
verification techniques to find bugs [14]. A sequentialization for delay-bounded schedulers that allows 
exploration of concurrent programs with dynamic thread creation has been discovered recently [6]- Also, 
in recent work, it has been established that any concurrent program with finitely many threads that can 
be reasoned with compositionally, using a rely-guarantee proof, can be sequentialized 0. 

A recent paper proposes a solution using Petri net reachability to the reachability problem in concur- 
rent programs with bounded data domains and dynamic creation of threads, where a thread is context- 
switched into only a bounded number of times (T). Since dynamic thread creation can model unbound- 
edly many threads, this framework is more powerful (and much more expensive in complexity) than ours, 
when restricted to bounded data-domains. 

There is a rich history of verifying parameterized asynchronously communicating concurrent pro- 
grams, especially motivated by the verification of distributed protocols. We do not survey these in detail 
(see |H [ini HEl [HI |2l, for a sample of this research). 
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2 Preliminaries 



Sequential recursive programs. Let us fix the syntax of a simple sequential programming language 
with variables ranging over only the integer and Boolean domains, with explicit syntax for nondeter- 
minism, and (recursive) function calls. For simplicity of exposition, we do not consider dynamically 
allocated structures or domains other than integers; however, all results in this paper can be easily ex- 
tended to handle such features. 

Sequential programs are described by the following grammar: 



(seq-pgm) 
(vardec) 
{type) 
(sprocedure) 
(seq-stmt) : 



(expr) 
(b-expr) 



(vardec); {sprocedure)* 
(type) x j (vardec); (vardec) 
int | bool 

((type) | void)/(xi , . . . ,*/,) begin (vardec); (seq-stmt) end 
(seq-stmt); (seq-stmt) | skip | x := (expr) | assume((fr-expr}) | 
call f(x\,. . . ,xi t ) | returns | while ((b-expr)) do (seq-stmt) od 
if ((b-expr)) then (seq-stmt) else (seq-stmt) f i | assert (b-expr) 
x\c\ f{y\,...,yh) I (b-expr) 
T | F | * | x | -i (b-expr) \ (b-expr) V (b-expr) 



Variables are scoped in two ways, either as global variables shared between procedures, or variables 
local to a procedure, according to where they are declared. Functions are all call-by-value. Some func- 
tions / may be interpreted to have existing functionality, such as integer addition or library functions, in 
which case their code is not given and we assume they happen atomically. We assume the program is 
well-typed according to the type declarations. 

Note that Boolean expressions can be true, false, or non-deterministically true or false (*), and hence 
programs are non-deterministic (which will be crucial as we will need to simulate concurrent programs, 
which can be non-deterministic). These non-deterministic choices can be replaced as inputs in a real 
programming language if we need to verify the sequential program. 

Let us assume that there is a function main, which is the function where the program starts, and that 
there are no calls to this function in the code of P. The semantics of a sequential program P is the obvious 
one. 

The assert statements form the specification for the program, and express invariants that can involve 
all variables in scope. Note that reachability of a particular statement can be encoded using an assert 
F at that statement. 



Parameterized programs with a fixed number of shared variables. We are interested in concurrent 
programs composed of several concurrent processes, each executing on possibly unboundedly many 
threads {parameterized programs). All threads run in parallel and share a fixed number of variables. 

A concurrent process is essentially a sequential program with the possibility of declaring sets of 
statements to be executed atomically, and is given by the following grammar (defined as an extension on 
the syntax for sequential programs): 

{process) ::= process P begin (vardec); (cprocedure)* end 
(cprocedure) ::= ((type) | void)/(jci, ... ,Xh) begin (vardec); (cone -stmt) end 
(conc-stmt) ::= (conc-stmt);(conc-stmt) \ (seq-stmt) | atomic begin (seq-stmt) end 
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The syntax for parameterized programs is obtained by adding the following rules: 

(param-pgm) ::= (vardec) (init) (process)* 
(init) ::= (seq-stmt) 

Variables in a parameterized program can be scoped locally, globally (i.e. to a process at a partic- 
ular thread) or shared (shared amongst all processes in all threads, when declared before init). The 
statements and assertions in a parameterized program can refer to all variables in scope. 

Each parameterized program has a sequential block of statements, init, where the shared variables 
are initialized. The parameterized program is initialized with an arbitrary finite number of threads, each 
thread running a copy of one of the processes. Dynamic creation of threads is not allowed. However, 
dynamic creation can be modeled (at the cost of a context-switch per created thread) by having threads 
created in a "dormant" state, which get active when they get a message from the parent thread to get 
created. 

An execution of a parameterized program is obtained by interleaving the behaviors of the threads 
which are involved in it. 

Formally, let & = (S, init,{P,-}" =1 ) be a parameterized program where S is the set of shared vari- 
ables and Pj is a process for i = 1 , . . . , n. We assume that each statement of the program has a unique 
program counter labeling it. A thread T of is a copy (instance) of some F; for i = 1, . . . ,n. At any 
point, only one thread is active. For any m > 0, a state of & is denoted by a tuple (map, i, s, 0\ , . . . , a m ) 
where: (1) map : [l,m] — > P is a mapping from threads T\,...T m to processes, (2) the thread which is 
currently active is 7), where i G [l,m] (3) s is a valuation of the shared variables, and (4) a ; - (for each 
j € is a local state of Tj. Note that each Cy is a local state of a process, and is composed of a 

valuation of the program counter, local, and global variables of the process, and a call-stack of local 
variable valuations and program counters to model procedure calls. 

At any state (map, i,s,G\, . . . ,G,„), the valuation of the shared variables s is referred to as the shared 
state. A localized state is the view of the state by the current process, i.e. it is (a,-,s), where a, is the 
component of a, that defines the valuation of local and global variables, and the local pc (but not the 
call-stack), and s is the valuation of the shared variables in scope. Note that assertions express properties 
of the localized state only. Also, note that when a thread is not scheduled, the local state of its process 
does not change. 

The interleaved semantics of parameterized programs is given in the obvious way. We start with an 
arbitrary state, and execute the statements of init to prepare the initial shared state of the program, after 
which the threads become active. Given a state (map, i,v,Oy,... , a m ), it can either fire a transition of 
the process at thread 7} (i.e., of process map(i)), updating its local state and shared variables, or context- 
switch to a different active thread by changing i to a different thread-index, provided that in 7} we are not 
in a block of sequential statements to be executed atomically. 

Verification under bounded round schedules: Fix a parameterized program = (S, init, {P;}" =1 ). 
The verification problem asks, given a parameterized program 8P, whether every execution of the pro- 
gram respects all assertions. 

In this paper, we consider a restricted verification problem. A Ground schedule is a schedule that, 
for some ordering of the threads T\ , . . . , T m , activates threads in k rounds, where in each round, each 
thread is scheduled (for any number of steps) according to this order. Note that an execution under a k- 
round schedule (k-round execution) can execute an unbounded number of steps. Given a parameterized 
program and k € N, the verification problem for parameterized programs under bounded round schedules 
asks whether any assertion is violated in some fc-round execution. 
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Figure 1 : A linear interface 
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3 Linear interfaces 

We now introduce the concept of a linear interface, which captures the effect a block of processes has on 
the shared state, when involved in a Ground execution. The notion of linear interfaces will play a major 
role in the lazy conversion to sequential programs. 

We fix a parameterized program 3* = (S, init, ) and a bound k > on the number of rounds. 

Notation: let u = (ui, . . . , where each is a shared state of 3. 

A pair of ^-tuples of shared variables (u, v) is a linear interface of length k (see Figure 1) if: (a) there 
is an ordered block of threads T\ , . . . , T m (running processes of (b) there are k rounds of execution, 
where each execution starts from shared state iij, exercises the threads in the block one by one, and ends 
with shared state v,- (for example, in Figure 1, the first round takes u\ through states s\, t\, s\, t\ , . . . to t x m 
where the shared state is vi), and (c) the local state of threads is preserved between consecutive rounds 
(in Figure 1, for example, t\ and s\ have the same local state). Informally, a linear interface is the effect a 
block of threads can have on the shared state in a fc-round execution, in that they transform u to v across 
the block. 

Formally, we have the following definition (illustrated by Figure [B. 
Definition 1 (Linear interface) ftl3]l 

Let u = (u\ , . . . , Uk) and v= (vi , . . . , Vk) be tuples ofk shared states of a parameterized program ( with 
processes P). 

The pair (u,v) is a linear interface of & of length k if there is some number of threads m 6 N, an 
assignment of threads to processes map : [l,m] — )• P and states sj = (map,i,xj, a[ J , . . . , Cm) and tj = 
(map,i,y J i ,'f{ J ,...,ytt) of 3 s fori e [l,m] and y'G such that for each i G 

• x\ = Uj andy ] m = Vj,for each j E [l,k]; 

• tj is reachable from sj using only local transitions of process map{i), for each j € \\,k\; 

• a\' is an initial local state for process map(i); 

• a ( -' ;+1 = for each j G [1,^—1] (local states are preserved across rounds); 

• = yf, except when i = m (shared states are preserved between context-switches of a single 
round); 

• {tj,sj +1 ), except when i = m, is a context-switch. □ 
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Note that the above definition of a linear interface places no restriction on the relation between vj 
and Uj + \ — all that we require is that the block of threads must take as input u and compute v in the k 
rounds, preserving the local configuration of threads between rounds. 

A linear interface (u,v) of length k is wrapped if v; = Ui + \ for each i € 1], and is initial if u\is 

an initial shared state of 

For a wrapped initial linear interface, from the definition of linear interfaces it follows that the k 
pieces of execution demanded in the definition can be stitched together to get a complete execution of 
the parameterized program, that starts from an initial state. We say that an execution conforms to a 
particular linear interface if it meets the condition demanded in the definition. 

Lemma 1 H13\l Let be a parameterized program. An execution of & is under a k-round schedule iff 
it conforms to some wrapped initial linear interface of & of length k. □ 

Hence to verify a program under &-round schedules, it suffices to check for failure of assertions 
along executions that conform to some wrapped initial interface of length k. 

4 Sequentializing parameterized programs 

In this section, we present a sequentialization of parameterized programs that preserves assertion sat- 
isfaction. Our translation is "lazy" in that the states reachable in the resulting program correspond to 
reachable states of the parameterized program. Thus, it preserves invariants across the translation: an 
invariant that holds at a particular statement in the concurrent program will hold at the corresponding 
statement in the sequential program. 

A simpler eager sequentialization scheme for parameterized programs that reduces reachability of 
error states for parameterized programs but explores unreachable states as well, can be obtained by a 
simple adaptation of the translation from concurrent programs with finitely many threads to sequential 
programs given in lfl5l . This scheme consists of simulating each thread till completion across all the 
rounds, before switching to the next thread, and then, at the end, checking if the execution of all the 
threads conesponds to an actual execution of the parameterized program. Nondeterminism is used to 
guess the number of threads, the schedule, and the shared state at the beginning of each round. However, 
this translation explores unreachable states, and hence does not preserve assertions across the translation. 

Motivating laziness: A lazy translation that explores only localized states reachable by a parameter- 
ized program has obvious advantages over an eager translation. For example, if we subject the sequential 
program to model-checking using state-space exploration, the lazy sequentialization has fewer reachable 
states to explore. The lazy sequentialization has another interesting consequence, namely that the sequen- 
tial program will not explore unreachable parts of the state-space where invariants of the parameterized 
program get violated or where executing statements leads to system errors due to undefined semantics 
(like division-by-zero, buffer-overflows, etc.), as illustrated by the following example. 

Example 1 Consider an execution of the parameterized program & from Figure [2] The program in- 
volves only two threads: T\ which executes P\ and T% which executes P2. Observe that any execution of 
T\ cycles on the while-loop until T2 sets blocked to false. But before this, T2 sets y to 1 and hence the 
assertion (y 7^ 0) is true in P\. However, in an execution of the simpler eager sequentialization, we would 
simulate Pi for k rounds and then simulate P2 through k rounds. In order to simulate P\, the eager trans- 
lation would guess non-deterministically a k-tuple of shared variables u\ , . . . ,u/,. Consider an execution 
where u\ assigns blocked to be true, and U2 assigns blocked to false and y to 0. The sequential program 
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bool blocked := T ; 
int x := 0, y := 0; 



process Pi : 



process P%: 



main() begin 
while {blocked) do 



main( ) begin 
x:= 12; 
y:=2; 

blocked := F ; //unblock P\ 
end 



skip ; 



od 

assert (y ! =0) ; 

x :=x/y; 



end 



Figure 2: Assertion not preserved by the eager sequentialization. 



would, in its simulation of P\ in the first round, reach the while-loop, and would jump to the second 
round to simulate P\ from u-i- Note that the assertion condition would fail, and will be duly noted by the 
sequential program. But if the assertion wasn't there, the sequentialization would execute the statement 
x := x/y, which would results in a "division by zero" exception. In short, (y ^ 0) is not an invariant for 
the statement x := x/y in the eager sequentialization. The lazy translation presented in the next section 
avoids such scenarios. □ 

4.1 Lazy sequentialization 

Without loss of generality, we fix a parameterized program = (S, init, {P}) over one process. Note 
that this is not a restriction, as we can always build P so that it makes a non-deterministic choice at the 
beginning, and decides to behave as one of a set of processes. We also replace functions with return val- 
ues to void functions that communicate the return value to the caller using global (unshared) variables. 
Finally, we fix a bound k > on the number of rounds. 

We perform a lazy sequentialization of a parameterized program by building a sequential program 
that computes linear interfaces. More precisely, at the core of our construction is a function linear _int 
that takes as input a set of valuations of shared variables (tti vi , ... v;_i ) (for some 1 < i < k) and 
computes a shared valuation s such that ((ki , . . . , k/) , (vi , . . . , Vj_i , *)) is a linear interface. We outline 
how this procedure works below. 

The procedure linear _int will require the following pre-condition, and meet the following post- 
condition and invariant when called with the input (u\, . . . ,m,-, vi, . . . v,_i): 

Precondition: There is some vo, an initial shared state, such that ((vo,Vi, . . . v,_i), (mi,M2, • • •«;)) is a 
linear interface. 

Postcondition: The value of the shared state at the return, s, is such that ((m, . . . ,Mj), (vi, . . .v;_i,s}) is 
a linear interface. 

Invariant: At any point in the execution of linear _int, if the localized state is (o,s), and a statement 
of the parameterized program is executed from this state, then (a, s) is a localized state reached in 
some execution of 2?. 

Intuitively, the pre-condition says that there must be a "left" block of threads where the initial com- 
putation can start, and which has a linear interface of the above kind. This ensures that all the Uj's are 
indeed reachable in some computation. Our goal is to build linear _int to sequentially compute, using 
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nondeterminism, any possible value of s such that ((i<i, . . . ,it,-), (vi, . . .v,-_i, s)) is a linear interface (as 
captured by the post-condition). The invariant above assures laziness; recall that the laziness property 
says that no statement of the parameterized program will be executed on a localized state of the sequential 
program that is unreachable in the parameterized program. 

Let us now sketch how linear_int works on an input (u\,... ,w/,vi,. . . v,-_i). First, it will decide 
non-deterministically whether the linear interface is for a single thread (by setting a variable last to T, 
signifying it is simulating the last thread) or whether the linear interface is for a block of threads more 
than one (in which case last is set to F). 

It will start with the state (<7i,wi) where 0\ is an initial local state of P, and simulate an arbitrary 
number of moves of P, and stop this simulation at some point, non-deterministically, ending in state 
(a[,u\). At this point, we would like the computation to "jump" to state {a[,u<i), however we need first 
to ensure that this state is reachable. 

If last = T, i.e. if the thread we are simulating is the last thread, then this is easy, as we can simply 
check if u\ =V\. If last = F, then linear _int determines whether (o^, W2) is reachable by calling itself 
recursively on the tuple (u[), getting the return value s, and checking whether s = v\. In other words, we 
claim that (a[,U2) is reachable in the parameterized program if (u\,v\) is a linear interface. 

Here is a proof sketch. Assume (w'^vi) is a linear interface; then by the pre-condition we know that 
there is an execution starting from a shared initial state to the shared state u\. By switching to the current 
thread 7}, and using the local computation of process P just witnessed, we can take the state to u\ (with 
local state oj), and since (u[,v\) is a linear interface, we know there is a "right" block of processes that 
will somehow take us from u\ to vi. Again by the pre-condition, we know that we can continue the 
computation in the second round, and ensure that the state reaches ui, at which point we switch to the 
current thread 7},, to get to the local state (<j{,i<2). 

The above argument is the crux of the idea behind our construction. In general, when we have reached 
a local state (a/, u'j), linear _int will call itself on the tuple u\ , . . . , u'p Vi, . . . v,-_i, get the return value s 
and check if s = v,-, before it "jumps" to the state (a/,w, + i). Note that when it calls itself, it maintains 
the pre-condition that there is a vo such that ((vo,vi, . . . v,-_i), (u\ ,...,«,)) is a linear interface by virtue 
of the fact that the pre-condition to the current call holds, and by the fact that the values u[,...,u' t were 
computed consistently in the current thread. 

The soundness of our construction depends on the above argument. Notice that the laziness invariant 
is maintained because the procedure calls itself to check if there is a "right" block whose linear interface 
will witness reachability, and the computation involved in this is assured to meet only reachable states 
because of its pre-condition which demands that there is a "left" -block that assures an execution. 

Completeness of the sequentialization relies on several other properties of the construction. First, we 
require that a call to linear _int returns all possible values of s such that ((u\ , . . . , ui) , (vi , . . . v;_i, s)) is 
a linear interface. Moreover, we need that for every execution corresponding to this linear interface and 
every local state (a, s) seen along such an execution, the local state is met along some run of linear _int. 
It is not hard to see that the above sketch of linear _int does meet these requirements. 

Notice that when simulating a particular thread, two successive calls to linear _int may result in 
different depths of recursive calls to linear_int, which means that a different number of threads are 
explored. However, the correctness of the computation does not depend on this, as correctness only 
relies on the fact that linear_int computes a linear interface, and the number of threads in the block 
that witnesses this interface is immaterial. This property of a linear interface that encapsulates a block 
of threads no matter how their internal composition is, is what makes a sequentialization without extra 
counters possible. 

We will have a main function that drives calls to linear _int, calling it to compute linear interfaces 
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Denote q t j =qi,...,qj 








Let s be the shared variables and g 


the global variables of 




bool atom, terminate ; 








main( ) 




Interlined code: 




begin 




if (terminate) then return; fi 




Let q\,...,q^ be of type of 


s; 


if (-latom) then 




int i = 1 ; 




while (*) do 




atom := F ; 




if (last) then 




call init () ; 




if ( 7 = bound) then 




m -=gl 




terminate := T ; return 




while (i < k) do 




else assume (q'j = s) ; 




terminate := F ; 




;'++; s:=qj\ 




call linear _int(^j ^,^2 ' 


); 


fi 




/++; 




else 




if < &) then 




<7j := s; save:= g; 




qi :=s; 




call linear _int(<?j ^q^ k _ 




fi 




if (j = bound) then return; 


od 




else assume (q'j = s) ; g: 




return; 




terminate '. = F ; j++ ; s := 


= qj; 


end 




fi 








fi 








od 








fi 





Figure 3: Function main and interlined control code of the sequential program £?£ zy . 

starting from a shared state u\ that is an initial shared state. Using successive calls, it will construct 
linear interfaces of the form (u\ , . . . , tt;, vi , . . . , v;) maintaining that vj = uj + \, for each j < i. This will 
ensure that the interfaces it computes are wrapped interfaces, and hence the calls to linear_int meet 
the latter's pre-condition. When it has computed a complete linear interface of length k, it will stop, as 
any localized state reachable in a &-round schedule would have been seen by then (see LemmaQ]). 

The syntactic transformation. The sequential program ^" z> obtained from & in the lazy sequential- 
ization consists of the function init of a new function main, a function linear _int, and for every 
function / other than main in a function f laz y. The function main of 9 s . ® is shown in Figure[3] The 
function linear _int is obtained by transforming the main function in the process of the parameterized 
program, by interlining the code shown in Figure [3] between every two statements. Each functions f lazy 
is obtained from / similarly by inserting the same interlined code. Clearly, in these transformations each 
call to / gets replaced with a call to f laz y. 

The interlined code allows to interrupt the simulation of a thread (provided we are not in an atomic 
section), and either jump directly to the next shared state (if last = 1) or call recursively linear _int to 
ensure that jumping to the next shared state will explore a reachable state. Observe that before calling 
linear_int recursively from the interlined code, we copy g (i.e., the value of P's global variables) to 
the local variables save, and after returning, copy it back to g to restore the local state. 

The global variables of 9 k ® includes all global and shared variables of , as well as two extra 
global Boolean variables atom and terminate. The variable atom is used to flag that the simulation is 
within an atomic block of instructions where context-switches are prohibited. The variable terminate is 
used to force the return from the most recent call to linear_int in the call stack (thus all the function 
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calls which are in the call stack up to this call are also returned). This variable is set false in the beginning 
and after returning each call to linear_int. 

Function main uses k copies of the shared variables denoted with q\,. .. ,qt- It calls init and then 
iteratively calls linear _int with i = l,...,k. Variable 171 is assigned in the beginning and at each 
iteration i < k the value of the shared variables is stored in qt + \ . 

Function linear_int is defined with formal parameters q = (^i,...,^), q' = (q' l ,...,q' k _ l ) and 
bound. Variable bound stores the bound on the number of rounds to execute in the current call to 
linear _int. 

The variable atom is set to true when entering an atomic block and set back to false on exiting it. The 
interlined code refers to variables last and j. The variable last is nondeterministically assigned when 
linear _int starts. Variable j counts the rounds being executed so far in the current call of linear _int 
(j is initialized to 1). 

We also insert "assume(F);" before each return statement of linear_int which is not part of the 
interlined code; this prevents a call to linear_int to be returned after executing to completion. 

Correctness and laziness of the sequentialization 

We now formally prove the correctness and laziness of our sequentialization. We start with a lemma 
stating that function linear_int indeed computes linear interfaces of the parameterized program & 
(i.e. meets its post-condition). 

Lemma 2 Assume that linear _int when called with actual parameters «i, vi, .. . ,Vk-i, i termi- 
nates and returns. Ifs~is the valuation of the (global) variable s at return, then ({u\, . . . ,m), (v\, . . . ,V/_i,j)) 
is a linear interface of P. □ 

Consider a call to linear _int such that the precondition stated in page @T] holds. Using the above 
lemma we can show that the localized states from which we simulate the transition of 3? are discovered 
lazily, and that the program ensures that the precondition holds on recursive calls to linear _int. 

Lemma 3 Let ((vq,v\,... , v,-_i), (1*1, ...,«,•)) be an initial linear interface. Consider a call to linear _int 
with actual parameters u\ , . . . , u^ , vi , . . . , Vk- 1 , i. 

• Consider a localized state reached during an execution of this call, and let a statement of & be 
simulated on this state. Then the localized state is reachable in some execution of P. 

• Consider a recursive call to linear_int with parameters u\,...,u' k , vi, . . . ,vjt_i,j. Then 
( (vo , v 1 , . . . , vy_ 1 ) , {u'j , . . . , u'j) ) is a linear interface. □ 

Note that whenever the function main calls linear _int, it satisfies the pre-condition for linear _int. 
This fact along with the above two lemmas establish the soundness and laziness of the sequentialization. 
The following lemma captures the completeness argument: 

Lemma 4 Let p be a k-round execution of Then there is a wrapped initial linear interface 
((i<l, . . . ,Uk), (U2, ■ ■ ■ ,Uk,v)) that p conforms to, and a terminating execution p' of 3?J® such that at 
the end of p ', the valuation of the variables (q\,...,qk,s) is (ui,...,Uk,v). Furthermore, every localized 
state reached in p is also reached in p'. □ 

Consolidating the above lemmas, we have: 

Theorem 1 Given k € N and a parameterized program £P, an assertion is violated in a k-round execu- 
tion of & if and only if an assertion is violated in an execution of £? l £ zy . Moreover, & l £ zy is lazy: if 
& l £ zy simulates a statement of & on a localized state, then the localized state is reachable in £P. □ 
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4.2 Parameterized programs over finite data domains: 

A sequential program with variables ranging over finite domains can be modeled as a pushdown system. 
Analogously, a parameterized program with variables ranging over finite domains can be modeled as a 
parameterized multi-stack pushdown system, i.e., a system composed of a finite number of pushdown 
systems sharing a portion of the control locations, which can be replicated in an arbitrary number of 
copies in each run. A parameterized multi-stack pushdown system si is thus a tuple (S,So,{Ai}" =l ), 
where S is a finite set of shared locations, So C S is the set of the initial shared locations and for i 6 [1 , n], 
with A/ is a standard pushdown system whose set of control locations is S x L,- for some finite set L,. 
We omit a formal definition of the behaviors of si which can be easily derived from the semantics of 
parameterized programs given in Section [2j by considering that each s € S is the analogous of a shared 
state in the parameterized programs, a state of each A; is the analogous of a local state of a process, and 
thus (s, I) G 5 X L{ corresponds to a localized state. 

Following the sequentialization construction given earlier in this section to construct the sequential 
program £P 1 ^ 7 - from a parameterized program we can construct from si a pushdown system si^ such 
that the reachability problem under Ground schedules in si can be reduced to the standard reachability 
problem in si^. Also, the number of locations of si^ is 0(£k 2 \S\ 2k ) and the number of transitions of si^ 
is 0(£dk 3 \S\ 2k ~ l ) where I is Yl\=\ l^'l an d d is the number of the transitions of A\, . . . ,A n . 

Theorem 2 Let si be a parameterized multi-stack pushdown system and k € N. Reachability up to k- 
round schedules in si reduces to reachability in si^. Moreover, the size of si^ is singly exponential in k 
and linear in the product of the number of locations and transitions of si. □ 

5 Conclusions and Future Work 

We have given an assertion-preserving efficient sequentialization of parameterized concurrent programs 
under bounded round schedules. 

An interesting future direction is to practically utilizing the sequentialization to analyze parameter- 
ized concurrent programs. For concurrent programs with a finite number of threads, bounded-depth 
verification using SMT solvers has worked well, especially using eager translations Ifl4l l8l. However, 
since the sequentialization described in this paper introduces recursion even for bounded-depth concur- 
rent programs, it would be hard to verify the resulting sequential program using SMT solvers. We believe 
that verifying the sequential program using abstract interpretation techniques that are context-sensitive 
would be an interesting future direction to pursue; in this context, the laziness of the translation presented 
here would help in maintaining the accuracy of the analysis. 

Finally, sequentializations can also be used to subject parameterized programs to abstraction-based 
model-checking. It would be worthwhile to pursue under-approximation of static analysis of concurrent 
and parameterized programs (including data-flow and points-to analysis) using sequentializations. 
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